{"id":48026347,"url":"https://github.com/binbashar/terraform-aws-network-firewall","last_synced_at":"2026-04-04T13:50:40.760Z","repository":{"id":46898004,"uuid":"388937473","full_name":"binbashar/terraform-aws-network-firewall","owner":"binbashar","description":"Terraform module for creating AWS Network Firewall resources","archived":false,"fork":false,"pushed_at":"2022-10-17T23:20:53.000Z","size":193,"stargazers_count":9,"open_issues_count":0,"forks_count":7,"subscribers_count":10,"default_branch":"master","last_synced_at":"2024-05-01T09:52:01.201Z","etag":null,"topics":["bb-le-mod-terraform","binbash-terraform","terraform"],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/binbashar.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null},"funding":{"github":"binbashar"}},"created_at":"2021-07-23T22:05:42.000Z","updated_at":"2024-04-30T22:13:04.000Z","dependencies_parsed_at":"2023-01-20T02:56:55.089Z","dependency_job_id":null,"html_url":"https://github.com/binbashar/terraform-aws-network-firewall","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/binbashar/terraform-aws-network-firewall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-network-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-network-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-network-firewall/releases","manifests_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-network-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/binbashar","download_url":"https://codeload.github.com/binbashar/terraform-aws-network-firewall/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/binbashar%2Fterraform-aws-network-firewall/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31402276,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bb-le-mod-terraform","binbash-terraform","terraform"],"created_at":"2026-04-04T13:50:40.557Z","updated_at":"2026-04-04T13:50:40.713Z","avatar_url":"https://github.com/binbashar.png","language":"HCL","funding_links":["https://github.com/sponsors/binbashar"],"categories":[],"sub_categories":[],"readme":"\u003ca href=\"https://github.com/binbashar\"\u003e\n    \u003cimg src=\"https://raw.githubusercontent.com/binbashar/le-ref-architecture-doc/master/docs/assets/images/logos/binbash-leverage-banner.png\" width=\"1032\" align=\"left\" alt=\"Binbash\"/\u003e\n\u003c/a\u003e\n\u003cbr clear=\"left\"/\u003e\n\n# terraform-aws-network-firewall\n\n## Overview\n\nThis module creates AWS Network 
Firewall resources, including:\n* Network Firewall\n* Network Firewall Policy\n* Network Firewall stateless rule groups and rules\n* Network Firewall stateful rule groups and rules\n* Custom Suricata rules\n* AWS Managed Rule Groups\n* “Strict, Drop Established” rule order (`STRICT_ORDER` with a drop-established default action)\n* Stateful rules instead of stateless rules\n* `$HOME_NET` as a rule variable\n\n\n## Example\n**Deny domain access**\n\nThe stateless group drops all ICMP (IP protocol 1) and forwards every other packet to the stateful engine, where a `DENYLIST` drops flows whose TLS SNI or HTTP `Host` header matches one of the listed domains. A leading dot (`.evil-domain.com`) matches the domain itself and all of its subdomains; without it only the exact name matches. With the default `DEFAULT_ACTION_ORDER`, flows that match no stateful rule are allowed, so this policy blocks only the listed domains. Keep in mind that `TLS_SNI` relies on the client-supplied SNI and `HTTP_HOST` only sees plaintext HTTP.\n```hcl\nmodule \"firewall\" {\n\n  source = \"github.com/binbashar/terraform-aws-network-firewall.git\"\n\n  name        = \"firewall\"\n  description = \"AWS Network Firewall example\"\n  vpc_id      = \"vpc-12345678910111213\"\n\n  # One firewall endpoint per subnet; each subnet must be in a different AZ\n  subnet_mapping = {\n    us-east-1a = \"subnet-23456780101112131\"\n    us-east-1b = \"subnet-13121110987654321\"\n  }\n\n  # Stateless rule groups (evaluated first; the lowest priority number runs first)\n  stateless_rule_groups = {\n    stateless-group-1 = {\n      description = \"Stateless rules\"\n      priority    = 1\n      capacity    = 100\n      # stateless-group-1 rules\n      rules = [\n        {\n          # Drop all ICMP (IP protocol 1) in both directions\n          priority  = 2\n          actions   = [\"aws:drop\"]\n          protocols = [1]\n          source = {\n            address = \"0.0.0.0/0\"\n          }\n          destination = {\n            address = \"0.0.0.0/0\"\n          }\n        },\n        {\n          # Hand every other packet to the stateful engine\n          priority = 10\n          actions  = [\"aws:forward_to_sfe\"]\n          source = {\n            address = \"0.0.0.0/0\"\n          }\n          destination = {\n            address = \"0.0.0.0/0\"\n          }\n        },\n      ]\n    }\n  }\n\n  # Stateful rule groups\n  stateful_rule_groups = {\n    # rules_source_list example: domain denylist on TLS SNI and HTTP Host\n    stateful-group-1 = {\n      description = \"Stateful inspection for denying access to domains\"\n      capacity    = 100\n      #rule_variables = {}\n      rules_source_list = {\n        generated_rules_type = \"DENYLIST\"\n        target_types         = [\"TLS_SNI\", \"HTTP_HOST\"]\n        targets              = [\".bad-domain.org\", \".evil-domain.com\"]\n      }\n    }\n  }\n}\n```\n\nYou can check the [complete 
example](examples/complete/) for other usages.\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\nNo requirements.\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | n/a |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_networkfirewall_firewall.firewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall) | resource |\n| [aws_networkfirewall_firewall_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |\n| [aws_networkfirewall_rule_group.stateful_rule_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |\n| [aws_networkfirewall_rule_group.stateless_rule_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_create_network_firewall\"\u003e\u003c/a\u003e [create\\_network\\_firewall](#input\\_create\\_network\\_firewall) | Set to false if you only want to create the firewall policy and the stateless and stateful rule groups, without the firewall itself. | `bool` | `true` | no |\n| \u003ca name=\"input_delete_protection\"\u003e\u003c/a\u003e [delete\\_protection](#input\\_delete_protection) | A boolean flag indicating whether it is possible to delete the firewall. Set it to `true` in production to prevent accidental deletion. | `bool` | `false` | no |\n| \u003ca name=\"input_description\"\u003e\u003c/a\u003e [description](#input\\_description) | A friendly description of the firewall. | `string` | `null` | no |\n| \u003ca name=\"input_enabled\"\u003e\u003c/a\u003e [enabled](#input\\_enabled) | Change to false to avoid deploying AWS Network Firewall resources. 
| `bool` | `true` | no |\n| \u003ca name=\"input_firewall_policy_change_protection\"\u003e\u003c/a\u003e [firewall\\_policy\\_change\\_protection](#input\\_firewall\\_policy\\_change_protection) | A boolean flag indicating whether it is possible to change the associated firewall policy. | `bool` | `false` | no |\n| \u003ca name=\"input_firewall_policy_name\"\u003e\u003c/a\u003e [firewall\\_policy_name](#input\\_firewall\\_policy_name) | A friendly name of the firewall policy. | `string` | `null` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | A friendly name of the firewall. | `string` | n/a | yes |\n| \u003ca name=\"input_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#input\\_vpc\\_id) | The unique identifier of the VPC where AWS Network Firewall should create the firewall. | `string` | n/a | yes |\n| \u003ca name=\"input_subnet_mapping\"\u003e\u003c/a\u003e [subnet\\_mapping](#input\\_subnet\\_mapping) | Subnets map. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. | `map(any)` | n/a | yes |\n| \u003ca name=\"input_stateless_default_actions\"\u003e\u003c/a\u003e [stateless\\_default\\_actions](#input\\_stateless\\_default\\_actions) | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sf`. | `list(any)` | `[\"aws:drop\"]` | no |\n| \u003ca name=\"input_stateless_fragment_default_actions\"\u003e\u003c/a\u003e [stateless\\_fragment\\_default_actions](#input\\_stateless\\_fragment\\_default_actions) | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. 
| `list(any)` | `[\"aws:drop\"]` | no |\n| \u003ca name=\"input_stateless_rule_groups\"\u003e\u003c/a\u003e [stateless\\_rule\\_groups](#input\\_stateless\\_rule\\_groups) | Map of stateless rules groups, including custom actions. | `any` | `{}` | no |\n| \u003ca name=\"input_stateful_rule_groups\"\u003e\u003c/a\u003e [stateful\\_rule\\_groups](#input\\_stateful\\_rule\\_groups) | Map of stateful rules groups, including Suricata and AWS Managed Rules. | `any` | `{}` | no |\n| \u003ca name=\"input_stateful_suricata_rule_groups\"\u003e\u003c/a\u003e [stateful\\_suricata_rule_groups](#input\\_stateful\\_suricata\\_rule\\_groups) | Map of custom Suricata rules for stateful inspection. | `any` | `{}` | no |\n| \u003ca name=\"input_managed_rule_groups\"\u003e\u003c/a\u003e [managed\\_rule\\_groups](#input\\_managed\\_rule\\_groups) | Map of AWS Managed Rule Groups for stateful inspection. | `any` | `{}` | no |\n| \u003ca name=\"input_rule_order\"\u003e\u003c/a\u003e [rule\\_order](#input\\_rule\\_order) | The order in which stateless rules are evaluated: `STRICT_ORDER` or `DEFAULT_ACTION_ORDER`. | `string` | `\"DEFAULT_ACTION_ORDER\"` | no |\n| \u003ca name=\"input_stream_exception_policy\"\u003e\u003c/a\u003e [stream\\_exception\\_policy](#input\\_stream_exception\\_policy) | Policy for handling stream exceptions: `DROP`, `CONTINUE`, or `REJECT`. | `string` | `\"DROP\"` | no |\n| \u003ca name=\"input_home_net_cidr\"\u003e\u003c/a\u003e [home\\_net\\_cidr](#input\\_home\\_net\\_cidr) | CIDR block to define the home network for the firewall rules. | `string` | n/a | yes |\n\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_arn\"\u003e\u003c/a\u003e [arn](#output\\_arn) | The Amazon Resource Name (ARN) that identifies the firewall. |\n| \u003ca name=\"output_id\"\u003e\u003c/a\u003e [id](#output\\_id) | The ID that identifies the firewall. 
|\n| \u003ca name=\"output_network_firewall_policy\"\u003e\u003c/a\u003e [network\\_firewall\\_policy](#output\\_network\\_firewall\\_policy) | The Firewall Network policy created. |\n| \u003ca name=\"output_network_firewall_stateful_group\"\u003e\u003c/a\u003e [network\\_firewall\\_stateful\\_group](#output\\_network\\_firewall\\_stateful\\_group) | Map of stateful group rules. |\n| \u003ca name=\"output_network_firewall_stateless_group\"\u003e\u003c/a\u003e [network\\_firewall\\_stateless\\_group](#output\\_network\\_firewall\\_stateless\\_group) | Map of stateless group rules. |\n| \u003ca name=\"output_network_firewall_status\"\u003e\u003c/a\u003e [network\\_firewall\\_status](#output\\_network\\_firewall\\_status) | Nested list of information about the current status of the firewall. |\n| \u003ca name=\"output_network_firewall_suricata_rule_groups\"\u003e\u003c/a\u003e [network\\_firewall\\_suricata\\_rule\\_groups](#output\\_network\\_firewall\\_suricata\\_rule\\_groups) | Map of Suricata rule groups for stateful inspection. |\n| \u003ca name=\"output_network_firewall_managed_rule_groups\"\u003e\u003c/a\u003e [network\\_firewall\\_managed\\_rule\\_groups](#output\\_network\\_firewall\\_managed\\_rule\\_groups) | Map of AWS Managed Rule Groups for stateful inspection. |\n\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbinbashar%2Fterraform-aws-network-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbinbashar%2Fterraform-aws-network-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbinbashar%2Fterraform-aws-network-firewall/lists"}